Data privacy is among the top policy trends of this decade. All over the world, data protection regulators are coming down heavily on organizations that do not adhere to data privacy requirements. The EU alone, under its General Data Protection Regulation (EU GDPR), imposed fines totalling €380 million ($417 million) in the roughly 12 months after the regulation took effect in May 2018. Regulations in other parts of the world, such as the California Consumer Privacy Act (CCPA), are also becoming more stringent.
Data privacy regulation is not new; it has existed for more than a decade. Privacy laws try to give the data owner (the consumer, or "data subject" in GDPR terms) the right to know what personally identifiable information (PII) is being collected and how it will be used. In addition, privacy regulations increasingly insist that the data owner be able to opt out of having their data used, and they provide recourse to legal action when the regulation is breached.
These regulations make common sense, and they should therefore be an intrinsic part of system and application design. Essentially, the data protection principles should be built in "by design and by default". In simpler words, "knit the fabric with security in each stitch".
Data privacy has shot into the limelight recently because the number of countries and regions adding regulations is growing swiftly. From Argentina to Australia, India, Japan and Taiwan, over 50 nations already have data privacy laws, and the number of lawsuits based on privacy violations and breaches of individuals' rights is growing.
In response to the concerns around data privacy, the practice and framework of Privacy by Design is gaining traction. The term, as is perhaps already evident, means that privacy, and the security controls that underpin it, should be built into a product by design instead of being added later through third-party products and services.
When does it apply and to whom?
Privacy by Design applies to individuals and organizations engaged in developing or maintaining business processes and IT systems:
- IT Systems: Data protection by design must be well thought through and integrated into projects from the start of planning. There are ways to make this straightforward; from an SDLC viewpoint:
- Identify privacy and security expectations, PII data elements
- Consider security aspects of application and system upgrades or revamps, not only of new builds
- Identify infrastructure security requirements
- Identify security threats and vulnerabilities
- Review security threats and vulnerabilities from the standpoint of the individuals/data subjects whose data is affected, not only from the standpoint of the business
- Consider data security for the three states of digital data: "data at rest", "data in transit" and "data in use"
- Consider “Security by Design” as a concept and apply the principles
- Consider a layered approach to design and use best practices for ensuring application security, e.g. the OWASP Top 10 application security risks, VAPT (vulnerability assessment and penetration testing) and WAPT (web application penetration testing)
- Demonstrate how privacy and security is built in the architecture/blueprint
- Consider masking, keyed hashing (pseudonymisation), encryption, network security, backup, endpoint security etc. for securing data and infrastructure; pick the control per field and per data state, since a value masked for display may still need to be encrypted at rest
- Triage scan and test findings to separate "false positives" from real issues, and analyse and implement the fixes required for the real ones
- Trace development back to requirements to ensure all security requirements are addressed
- Plan vulnerability testing of both infrastructure and applications (VAPT, WAPT) before release, not only after an incident
- Identify clear responsibilities with customers on test scope, provision of data and test environments
- Ensure security requirements are carried through into production, and verify them there rather than assuming the deployed configuration matches the design
- Organizations: Performing business activities requires identifying the data owners in an organization, data being sourced primarily from employees, customers and service providers. Each activity, such as data collection, processing and deletion, needs an assigned role, and the data owner for that activity must be identified within the business process. Apply the Privacy by Design philosophy to business processes within functional groups by:
- Ensuring privacy in the workflows of business processes and at the touch points where data is exchanged between processes
- Designing business activities to protect personal data
- Defining role-based access, so that each role sees only the data its activity requires
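The list above names masking, hashing and encryption as controls for PII without saying when each is appropriate. The following is an added example, not code from the original article, showing the difference that matters most in practice: a plain (unkeyed) hash of an email address looks anonymised but can be reversed by anyone who can guess candidate inputs, whereas a keyed hash (HMAC) gives a stable pseudonym that still supports joins for analytics yet cannot be recomputed without the key. The records, the card numbers (industry test numbers) and the key are all constructed for the example; the key would normally live in a secret store, never next to the data.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed sample records (fictional people, industry test card numbers).
RECORDS = [
    {"name": "Alice Example", "email": "Alice@Example.com", "card": "4111 1111 1111 1111"},
    {"name": "Bob Sample", "email": "bob@example.org", "card": "5500 0000 0000 0004"},
]

# Hypothetical pseudonymisation secret for the example only. In production it
# lives in a secret store or HSM, separate from the data it protects.
PSEUDONYM_KEY = bytes.fromhex("0f" * 32)


def mask_card(pan: str) -> str:
    """Masking for 'data in use' by support staff: keep only the last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Partial masking for UI display: first character of the local part plus the domain."""
    local, at, domain = email.partition("@")
    if not at or not local or not domain:
        raise ValueError("not an email address")
    return f"{local[0]}***@{domain}"


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of the normalised value. Looks anonymised but is not:
    anyone can recompute it for a list of guessed inputs."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Same input and same key give the same token,
    so records can still be joined, but without the key a token cannot be
    recomputed from guessed inputs."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def protect_record(record: dict, key: bytes) -> dict:
    """Shape of a record shared with analytics/support: no direct identifiers."""
    return {
        "email_token": pseudonymize(record["email"], key),
        "email_display": mask_email(record["email"]),
        "card_display": mask_card(record["card"]),
    }


def reverse_by_dictionary(token: str, candidates: Iterable[str],
                          fn: Callable[[str], str]) -> Optional[str]:
    """What an attacker holding a stored token and a guess list can do."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    guesses = ["bob@example.org", "alice@example.com", "carol@example.net"]
    for rec in RECORDS:
        print(protect_record(rec, PSEUDONYM_KEY))
    leaked = naive_hash("alice@example.com")
    print("unkeyed hash reversed to:", reverse_by_dictionary(leaked, guesses, naive_hash))
    token = pseudonymize("alice@example.com", PSEUDONYM_KEY)
    print("HMAC token reversed to:", reverse_by_dictionary(token, guesses, naive_hash))
```

Normalising the input (trim, lower-case) before hashing is what makes the pseudonym usable as a join key across systems that capture the email differently; the trade-off is that the token is deterministic, so it is pseudonymised rather than anonymised data under GDPR and still needs access control and a retention period.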
It has become critical to build a privacy culture in organizations as data privacy regulators across the world become more active. Going forward, managing data privacy should be a consideration even before developers get down to writing code.